SlideShare uma empresa Scribd logo

Vulnerability Assessment of Middleware Packages Supplied by EMI: VOMS Core Case

Manuel Brugnoli
Manuel Brugnoli

This document describes a vulnerability assessment of the VOMS Core middleware package using a First Principles Vulnerability Assessment (FPVA) approach. The FPVA involves analyzing the VOMS Core architecture, resources, privileges, and components. No serious security vulnerabilities were found except for a potential denial of service issue. The VOMS Core design limits attacks through secure communication, privilege separation, and input validation. However, a lack of limits on simultaneous connections could enable a denial of service attack.

Tecnologia
1 de 20
Baixar para ler offline
www.egi.euEGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.euEGI-InSPIRE RI-261323 Vulnerability Assessment of Middleware Packages Supplied by EMI: VOMS Core Case Manuel Brugnoli, Elisa Heymann UAB
www.egi.euEGI-InSPIRE RI-261323 Outline • First Principles Vulnerability Assessment (FPVA) • VOMS Core • VOMS Core assessment using FPVA • Conclusions Contents
www.egi.euEGI-InSPIRE RI-261323 “Is a primarily analyst-centric (manual) approach to assessment, whose aim is to focus the analyst’s attention on the parts of the software system and its resources that are mostly likely to contain vulnerabilities that would provide access to high-value assets”* * James A. Kupsch, Barton P. Miller, Eduardo César, and Elisa Heymann, "First Principles Vulnerability Assessment" (extended version), MIST Project Technical Report, September 2009. First Principles Vulnerability Assessment (FPVA)
www.egi.euEGI-InSPIRE RI-261323 Architecture Resources Privileges Components Dissemination to identify the major structural components of the system, including modules, threads, processes, and hosts.to identify the key resources accessed by each component, and the operations supported on those resources.identifies the trust assumptions about each component, answering such questions as how are they protected and who can access them? is to examine each component in depth. A key aspect is that this step is guided by information obtained in the first three steps, helping to prioritize the work so that highvalue targets are evaluated first. artifacts produced by this step are vulnerability reports, perhaps with suggested fixes, to be provided to the middleware developers. First Principles Vulnerability Assessment (FPVA)
www.egi.euEGI-InSPIRE RI-261323 Virtual Organization Membership Service (VOMS) serves as a central repository for user authorization information, providing support for sorting users into a general group hierarchy, keeping track of their roles, etc. VOMS Core is the server that receives requests from a VOMS client and returns information about the user. We worked with VOMS Core 2.0.2. VOMS Core assessment using FPVA
www.egi.euEGI-InSPIRE RI-261323 VOMS Server Host DB VOMS Admin (Tomcat) VOMS daemon User Host Web Browser VOMS Client VOMS Admin Client HTTPS SOAP over SSL Ancillary Utilities GSI Connection OS privileges user daemon root DB privileges VO_Server Command Line Command Line Web Command Line Step 1: VOMS 2.0.2 Architecture Analysis
www.egi.euEGI-InSPIRE RI-261323 Step 1: VOMS Client-Server Interaction
www.egi.euEGI-InSPIRE RI-261323 Step 2: VOMS Core 2.0.2 Resource Analysis
www.egi.euEGI-InSPIRE RI-261323 Step 2: VOMS Core 2.0.2 Resource Analysis
www.egi.euEGI-InSPIRE RI-261323 Step 3: VOMS Core 2.0.2 Privilege Analysis
www.egi.euEGI-InSPIRE RI-261323 • Resource permissions: • Evaluated the permissions of files that have a high security value (certificate private keys, database and configuration files). • The permissions of these files appeared to be correct. Step 4: VOMS Core 2.0.2 Component Analysis
www.egi.euEGI-InSPIRE RI-261323 • User privileges: • Client side: • No privilege problems in the client commands. • Server side: • The voms daemon runs with root operating system privileges. • Evaluated the source code looking for flaws that may compromise the server. • No privilege problems were found. Step 4: VOMS Core 2.0.2 Component Analysis
www.egi.euEGI-InSPIRE RI-261323 • Dangerous functions: • Evaluated the use of functions that commonly result in security problems, such as system or exec family functions. • No vulnerabilities related to dangerous functions were found. Step 4: VOMS Core 2.0.2 Component Analysis
www.egi.euEGI-InSPIRE RI-261323 • Authentication Issues: • Mutual authentication is performed between the client and server. • VOMS design makes the system quite strong, and reduces many possible threats. Step 4: VOMS Core 2.0.2 Component Analysis
www.egi.euEGI-InSPIRE RI-261323 • Network Layer Security: • VOMS server creates a secure communication channel via Globus GSI with the VOMS Clients. • The use of a encrypted channel provides strong end-to-end data encryption and integrity. Step 4: VOMS Core 2.0.2 Component Analysis
www.egi.euEGI-InSPIRE RI-261323 • Injection Attacks: • Evaluated the source code to ensure VOMS correctly parses and checks the arguments passed through the command line. • Appropriate parsing is performed to protect against command injection vulnerabilities. Step 4: VOMS Core 2.0.2 Component Analysis
www.egi.euEGI-InSPIRE RI-261323 • Buffer overflows: • VOMS Core is written in C/C++ → Checked for potential buffer overflow problems. • No dangerous behavior was detected. Step 4: VOMS Core 2.0.2 Component Analysis
www.egi.euEGI-InSPIRE RI-261323 • Denial of Service Attacks: • A DoS vulnerability was discovered and reported to the VOMS developers. • This vulnerability is caused by lack of limits on the number of simultaneous connections. • Full details about this were reported in the vulnerability report VOMS-CORE-2011-0001. Step 4: VOMS Core 2.0.2 Component Analysis
www.egi.euEGI-InSPIRE RI-261323 ConclusionsConclusions No serious security problems in VOMS Core 2.0.2 was found: • The attack surface in VOMS Core is very small. • VOMS Core correctly parses and checks the arguments sent from the client. • The VOMS server uses a forking server model to handle all requests from VOMS clients. • The recommended operational configuration of a VOMS server node is a highly secured host with limited local user access and other services. • All communication between the VOMS server and VOMS clients is secure. • A DoS vulnerability was found.
www.egi.euEGI-InSPIRE RI-261323 ¿Questions? Thank you!!!

Recomendados

Os Command Injection Attack
Os Command Injection AttackOs Command Injection Attack
Os Command Injection Attack
Raghav Bisht
 
Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linux
Ajin Abraham
 
Computer security Description about SQL-Injection and SYN attacks
Computer security Description about SQL-Injection and SYN attacksComputer security Description about SQL-Injection and SYN attacks
Computer security Description about SQL-Injection and SYN attacks
Tesfahunegn Minwuyelet
 
Browser Exploit Framework
Browser Exploit FrameworkBrowser Exploit Framework
Browser Exploit Framework
n|u - The Open Security Community
 
Evaluating container security with ATT&CK Framework
Evaluating container security with ATT&CK FrameworkEvaluating container security with ATT&CK Framework
Evaluating container security with ATT&CK Framework
Sandeep Jayashankar
 
Distributed systems
Distributed systemsDistributed systems
Distributed systems
Mohammad Reza Gerami
 
Red Teaming and Energy Grid Security
Red Teaming and Energy Grid SecurityRed Teaming and Energy Grid Security
Red Teaming and Energy Grid Security
EnergySec
 
Thisworldofours
ThisworldofoursThisworldofours
Thisworldofours
jennyevans555
 

Recomendados

Os Command Injection Attack
Os Command Injection AttackOs Command Injection Attack
Os Command Injection Attack
Raghav Bisht
 
Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linux
Ajin Abraham
 
Computer security Description about SQL-Injection and SYN attacks
Computer security Description about SQL-Injection and SYN attacksComputer security Description about SQL-Injection and SYN attacks
Computer security Description about SQL-Injection and SYN attacks
Tesfahunegn Minwuyelet
 
Browser Exploit Framework
Browser Exploit FrameworkBrowser Exploit Framework
Browser Exploit Framework
n|u - The Open Security Community
 
Evaluating container security with ATT&CK Framework
Evaluating container security with ATT&CK FrameworkEvaluating container security with ATT&CK Framework
Evaluating container security with ATT&CK Framework
Sandeep Jayashankar
 
Distributed systems
Distributed systemsDistributed systems
Distributed systems
Mohammad Reza Gerami
 
Red Teaming and Energy Grid Security
Red Teaming and Energy Grid SecurityRed Teaming and Energy Grid Security
Red Teaming and Energy Grid Security
EnergySec
 
Thisworldofours
ThisworldofoursThisworldofours
Thisworldofours
jennyevans555
 
Security trend analysis with CVE topic models
Security trend analysis with CVE topic modelsSecurity trend analysis with CVE topic models
Security trend analysis with CVE topic models
Thomas Zimmermann
 
How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?
Ksenia Peguero
 
Using Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security ProblemsUsing Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security Problems
kiansahafi
 
Open source security tools for Kubernetes.
Open source security tools for Kubernetes.Open source security tools for Kubernetes.
Open source security tools for Kubernetes.
Michael Ducy
 
apidays LIVE New York 2021 - Supercharge microservices with Service Mesh by S...
apidays LIVE New York 2021 - Supercharge microservices with Service Mesh by S...apidays LIVE New York 2021 - Supercharge microservices with Service Mesh by S...
apidays LIVE New York 2021 - Supercharge microservices with Service Mesh by S...
apidays
 
Effectiveness of AV in Detecting Web Application Backdoors
Effectiveness of AV in Detecting Web Application BackdoorsEffectiveness of AV in Detecting Web Application Backdoors
Effectiveness of AV in Detecting Web Application Backdoors
n|u - The Open Security Community
 
Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!
Michael Man
 
Vulnerability Advisor Deep Dive (Dec 2016)
Vulnerability Advisor Deep Dive (Dec 2016)Vulnerability Advisor Deep Dive (Dec 2016)
Vulnerability Advisor Deep Dive (Dec 2016)
Canturk Isci
 
Security for cloud native workloads
Security for cloud native workloadsSecurity for cloud native workloads
Security for cloud native workloads
Runcy Oommen
 
A Distributed Malware Analysis System Cuckoo Sandbox
A Distributed Malware Analysis System Cuckoo SandboxA Distributed Malware Analysis System Cuckoo Sandbox
A Distributed Malware Analysis System Cuckoo Sandbox
Andy Lee
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessment
Ravikumar Paghdal
 
Chapter 6 overview
Chapter 6 overviewChapter 6 overview
Chapter 6 overview
ali raza
 
Application cloudification with liberty and urban code deploy - UCD
Application cloudification with liberty and urban code deploy - UCDApplication cloudification with liberty and urban code deploy - UCD
Application cloudification with liberty and urban code deploy - UCD
Davide Veronese
 
Watch How The Giants Fall: Learning from Bug Bounty Results
Watch How The Giants Fall: Learning from Bug Bounty ResultsWatch How The Giants Fall: Learning from Bug Bounty Results
Watch How The Giants Fall: Learning from Bug Bounty Results
jtmelton
 
Envoy @ Lyft: developer productivity (kubecon 2.0)
Envoy @ Lyft: developer productivity (kubecon 2.0)Envoy @ Lyft: developer productivity (kubecon 2.0)
Envoy @ Lyft: developer productivity (kubecon 2.0)
Jose Ulises Nino Rivera
 
Azure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure CloudAzure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure Cloud
Paulo Renato
 
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...
Rana Khalil
 
Laying the Foundation for Ionic Platform Insights on Spark
Laying the Foundation for Ionic Platform Insights on SparkLaying the Foundation for Ionic Platform Insights on Spark
Laying the Foundation for Ionic Platform Insights on Spark
Ionic Security
 
[OWASP Poland Day] A study of Electron security
[OWASP Poland Day] A study of Electron security[OWASP Poland Day] A study of Electron security
[OWASP Poland Day] A study of Electron security
OWASP
 
ThroughTheLookingGlass_EffectiveObservability.pptx
ThroughTheLookingGlass_EffectiveObservability.pptxThroughTheLookingGlass_EffectiveObservability.pptx
ThroughTheLookingGlass_EffectiveObservability.pptx
Grace Jansen
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
Khushali Kathiriya
 

Mais conteúdo relacionado

Semelhante a Vulnerability Assessment of Middleware Packages Supplied by EMI: VOMS Core Case

How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?
Ksenia Peguero
 
Open source security tools for Kubernetes.
Open source security tools for Kubernetes.Open source security tools for Kubernetes.
Open source security tools for Kubernetes.
Michael Ducy
 
Chapter 6 overview
Chapter 6 overviewChapter 6 overview
Chapter 6 overview
ali raza
 
Watch How The Giants Fall: Learning from Bug Bounty Results
Watch How The Giants Fall: Learning from Bug Bounty ResultsWatch How The Giants Fall: Learning from Bug Bounty Results
Watch How The Giants Fall: Learning from Bug Bounty Results
jtmelton
 
[OWASP Poland Day] A study of Electron security
[OWASP Poland Day] A study of Electron security[OWASP Poland Day] A study of Electron security
[OWASP Poland Day] A study of Electron security
OWASP
 
ThroughTheLookingGlass_EffectiveObservability.pptx
ThroughTheLookingGlass_EffectiveObservability.pptxThroughTheLookingGlass_EffectiveObservability.pptx
ThroughTheLookingGlass_EffectiveObservability.pptx
Grace Jansen
 

Semelhante a Vulnerability Assessment of Middleware Packages Supplied by EMI: VOMS Core Case (20)

Security trend analysis with CVE topic models
Security trend analysis with CVE topic modelsSecurity trend analysis with CVE topic models
Security trend analysis with CVE topic models
 
How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?
 
Using Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security ProblemsUsing Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security Problems
 
Open source security tools for Kubernetes.
Open source security tools for Kubernetes.Open source security tools for Kubernetes.
Open source security tools for Kubernetes.
 
apidays LIVE New York 2021 - Supercharge microservices with Service Mesh by S...
apidays LIVE New York 2021 - Supercharge microservices with Service Mesh by S...apidays LIVE New York 2021 - Supercharge microservices with Service Mesh by S...
apidays LIVE New York 2021 - Supercharge microservices with Service Mesh by S...
 
Effectiveness of AV in Detecting Web Application Backdoors
Effectiveness of AV in Detecting Web Application BackdoorsEffectiveness of AV in Detecting Web Application Backdoors
Effectiveness of AV in Detecting Web Application Backdoors
 
Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!
 
Vulnerability Advisor Deep Dive (Dec 2016)
Vulnerability Advisor Deep Dive (Dec 2016)Vulnerability Advisor Deep Dive (Dec 2016)
Vulnerability Advisor Deep Dive (Dec 2016)
 
Security for cloud native workloads
Security for cloud native workloadsSecurity for cloud native workloads
Security for cloud native workloads
 
A Distributed Malware Analysis System Cuckoo Sandbox
A Distributed Malware Analysis System Cuckoo SandboxA Distributed Malware Analysis System Cuckoo Sandbox
A Distributed Malware Analysis System Cuckoo Sandbox
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessment
 
Chapter 6 overview
Chapter 6 overviewChapter 6 overview
Chapter 6 overview
 
Application cloudification with liberty and urban code deploy - UCD
Application cloudification with liberty and urban code deploy - UCDApplication cloudification with liberty and urban code deploy - UCD
Application cloudification with liberty and urban code deploy - UCD
 
Watch How The Giants Fall: Learning from Bug Bounty Results
Watch How The Giants Fall: Learning from Bug Bounty ResultsWatch How The Giants Fall: Learning from Bug Bounty Results
Watch How The Giants Fall: Learning from Bug Bounty Results
 
Envoy @ Lyft: developer productivity (kubecon 2.0)
Envoy @ Lyft: developer productivity (kubecon 2.0)Envoy @ Lyft: developer productivity (kubecon 2.0)
Envoy @ Lyft: developer productivity (kubecon 2.0)
 
Azure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure CloudAzure 101: Shared responsibility in the Azure Cloud
Azure 101: Shared responsibility in the Azure Cloud
 
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...
 
Laying the Foundation for Ionic Platform Insights on Spark
Laying the Foundation for Ionic Platform Insights on SparkLaying the Foundation for Ionic Platform Insights on Spark
Laying the Foundation for Ionic Platform Insights on Spark
 
[OWASP Poland Day] A study of Electron security
[OWASP Poland Day] A study of Electron security[OWASP Poland Day] A study of Electron security
[OWASP Poland Day] A study of Electron security
 
ThroughTheLookingGlass_EffectiveObservability.pptx
ThroughTheLookingGlass_EffectiveObservability.pptxThroughTheLookingGlass_EffectiveObservability.pptx
ThroughTheLookingGlass_EffectiveObservability.pptx
 

Último

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 

Último (20)

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 

Vulnerability Assessment of Middleware Packages Supplied by EMI: VOMS Core Case

  • 1. www.egi.euEGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.euEGI-InSPIRE RI-261323 Vulnerability Assessment of Middleware Packages Supplied by EMI: VOMS Core Case Manuel Brugnoli, Elisa Heymann UAB
  • 2. www.egi.euEGI-InSPIRE RI-261323 Outline • First Principles Vulnerability Assessment (FPVA) • VOMS Core • VOMS Core assessment using FPVA • Conclusions Contents
  • 3. www.egi.euEGI-InSPIRE RI-261323 “Is a primarily analyst-centric (manual) approach to assessment, whose aim is to focus the analyst’s attention on the parts of the software system and its resources that are mostly likely to contain vulnerabilities that would provide access to high-value assets”* * James A. Kupsch, Barton P. Miller, Eduardo César, and Elisa Heymann, "First Principles Vulnerability Assessment" (extended version), MIST Project Technical Report, September 2009. First Principles Vulnerability Assessment (FPVA)
  • 4. www.egi.euEGI-InSPIRE RI-261323 Architecture Resources Privileges Components Dissemination to identify the major structural components of the system, including modules, threads, processes, and hosts.to identify the key resources accessed by each component, and the operations supported on those resources.identifies the trust assumptions about each component, answering such questions as how are they protected and who can access them? is to examine each component in depth. A key aspect is that this step is guided by information obtained in the first three steps, helping to prioritize the work so that highvalue targets are evaluated first. artifacts produced by this step are vulnerability reports, perhaps with suggested fixes, to be provided to the middleware developers. First Principles Vulnerability Assessment (FPVA)
  • 5. www.egi.euEGI-InSPIRE RI-261323 Virtual Organization Membership Service (VOMS) serves as a central repository for user authorization information, providing support for sorting users into a general group hierarchy, keeping track of their roles, etc. VOMS Core is the server that receives requests from a VOMS client and returns information about the user. We worked with VOMS Core 2.0.2. VOMS Core assessment using FPVA
  • 6. www.egi.euEGI-InSPIRE RI-261323 VOMS Server Host DB VOMS Admin (Tomcat) VOMS daemon User Host Web Browser VOMS Client VOMS Admin Client HTTPS SOAP over SSL Ancillary Utilities GSI Connection OS privileges user daemon root DB privileges VO_Server Command Line Command Line Web Command Line Step 1: VOMS 2.0.2 Architecture Analysis
  • 7. www.egi.euEGI-InSPIRE RI-261323 Step 1: VOMS Client-Server Interaction
  • 8. www.egi.euEGI-InSPIRE RI-261323 Step 2: VOMS Core 2.0.2 Resource Analysis
  • 9. www.egi.euEGI-InSPIRE RI-261323 Step 2: VOMS Core 2.0.2 Resource Analysis
  • 10. www.egi.euEGI-InSPIRE RI-261323 Step 3: VOMS Core 2.0.2 Privilege Analysis
  • 11. www.egi.euEGI-InSPIRE RI-261323 • Resource permissions: • Evaluated the permissions of files that have a high security value (certificate private keys, database and configuration files). • The permissions of these files appeared to be correct. Step 4: VOMS Core 2.0.2 Component Analysis
  • 12. www.egi.euEGI-InSPIRE RI-261323 • User privileges: • Client side: • No privilege problems in the client commands. • Server side: • The voms daemon runs with root operating system privileges. • Evaluated the source code looking for flaws that may compromise the server. • No privilege problems were found. Step 4: VOMS Core 2.0.2 Component Analysis
  • 13. www.egi.euEGI-InSPIRE RI-261323 • Dangerous functions: • Evaluated the use of functions that commonly result in security problems, such as system or exec family functions. • No vulnerabilities related to dangerous functions were found. Step 4: VOMS Core 2.0.2 Component Analysis
  • 14. www.egi.euEGI-InSPIRE RI-261323 • Authentication Issues: • Mutual authentication is performed between the client and server. • VOMS design makes the system quite strong, and reduces many possible threats. Step 4: VOMS Core 2.0.2 Component Analysis
  • 15. www.egi.euEGI-InSPIRE RI-261323 • Network Layer Security: • VOMS server creates a secure communication channel via Globus GSI with the VOMS Clients. • The use of a encrypted channel provides strong end-to-end data encryption and integrity. Step 4: VOMS Core 2.0.2 Component Analysis
  • 16. www.egi.euEGI-InSPIRE RI-261323 • Injection Attacks: • Evaluated the source code to ensure VOMS correctly parses and checks the arguments passed through the command line. • Appropriate parsing is performed to protect against command injection vulnerabilities. Step 4: VOMS Core 2.0.2 Component Analysis
  • 17. www.egi.euEGI-InSPIRE RI-261323 • Buffer overflows: • VOMS Core is written in C/C++ → Checked for potential buffer overflow problems. • No dangerous behavior was detected. Step 4: VOMS Core 2.0.2 Component Analysis
  • 18. www.egi.euEGI-InSPIRE RI-261323 • Denial of Service Attacks: • A DoS vulnerability was discovered and reported to the VOMS developers. • This vulnerability is caused by lack of limits on the number of simultaneous connections. • Full details about this were reported in the vulnerability report VOMS-CORE-2011-0001. Step 4: VOMS Core 2.0.2 Component Analysis
  • 19. www.egi.euEGI-InSPIRE RI-261323 ConclusionsConclusions No serious security problems in VOMS Core 2.0.2 was found: • The attack surface in VOMS Core is very small. • VOMS Core correctly parses and checks the arguments sent from the client. • The VOMS server uses a forking server model to handle all requests from VOMS clients. • The recommended operational configuration of a VOMS server node is a highly secured host with limited local user access and other services. • All communication between the VOMS server and VOMS clients is secure. • A DoS vulnerability was found.